In the past, security of communications was provided through the use of encryption technologies. When using encryption, data that is communicated is first mapped from its useful state to another, obfuscated state in which it is inaccessible even if intercepted. Before being “used,” the data is mapped back to its useful state. Mapping the data is referred to as encoding and mapping the data back is referred to as decoding. The terms encrypting and decrypting, respectively, are also commonly used. There are many methods of obfuscating data, with varying degrees of security. Some of these include DES, triple-DES and CAST. Often, security systems support replacement of the encoding algorithm in use so that enhanced security algorithms can be adopted later.
For securing communications, two common models are used: point-to-point level security and data level security. In point-to-point level security, two endpoints in a communication medium secure communications therebetween. For example, two radio transceivers for use in military applications set up a secure channel using an agreed-upon encoding/decoding method. All data transmitted is encoded prior to transmission and all data is decoded upon receipt. Encoding systems used for data of this type are usually optimized for encoding and decoding data within a stream of data. In data level security, data is encoded into a file and that file is then transmitted. The received encoded file is then decoded to extract the original data. A common form of this type of encoding system is Pretty Good Privacy® (PGP), a commonly available software encryption package for personal computers.
A Secure Virtual Private Network (SVPN) is a secure form of a virtual private network (VPN). A VPN gives users of the network the appearance of a physically connected network of workstations. This appearance is provided even when some workstations and sub-networks are disposed remotely from the core of the network. As such, a person working from home feels as if they are physically coupled to the network though they are not. Commonly, VPNs are implemented using a wide area network such as the Internet as a communication medium. A workstation is coupled to an Internet provider via a modem connection, the core network is coupled to the Internet through a gateway, and the workstation communicates with the network to provide functionality as if a dedicated dial-up connection were made therebetween.
For a user of the workstation, the connection to the Internet and the gateway is transparent; hence the term virtual in both VPN and SVPN. An SVPN also comprises means for securing data transmitted via the Internet to the gateway in order to prevent interception of and access to sensitive data. Commonly, this means for securing data includes a processor for encrypting and decrypting data. Even if intercepted, the encrypted data is not accessible.
In order to support data level security of SVPN communication, data is received at a gateway and is transferred from gateway memory to working memory where the data “pieces” are reassembled to form complete messages and/or transmissions. These complete messages and/or transmissions are then decoded and the data then routed within the private network to a destination. Alternatively, the data is re-encoded and transmitted back through the SVPN to the destination. Thus, a gateway has to support receiving data within a serial stream, processing the data to determine an associated data location within memory, transferring the incoming data to the associated location in memory and monitoring memory locations for complete messages that require decoding. This requires costly hardware and complicated timing to support memory transfers, serial data stream reception and file decoding.
A common approach to securing data is to use a main processor within a gateway to perform data ciphering operations. Data ciphering includes encoding and decoding of data. Once data is ciphered, operations relating to data integrity, such as hashing the data, are performed. Data to be transmitted is encrypted and hashed, with the hash added to the encrypted data. Data received is verified and then decrypted.
The processor accesses a memory buffer to read and write data before and after processing it. Unfortunately, data bus access is a common bottleneck in processor-based systems. The prior art approach described above requires four memory access operations: writing received data to the buffer, reading the data for processing, writing the data back after processing, and reading the data to forward it to a destination. Thus, even though a processor is often fast enough to handle the requisite processing, the bus access limits the overall efficiency of such a system.
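The two gateway steps described above, reassembling message "pieces" arriving in a serial stream into complete messages, then verifying the integrity hash and only afterwards decrypting, are shown together in the following example. It is added here and is not code from the patent; the fragment format (message id, byte offset, total length, payload), the 8-byte nonce, the HMAC-SHA256 keystream used in place of the DES/triple-DES/CAST ciphers the page names, and the example keys are all constructed assumptions. The order of operations is the page's own: encrypt, then hash the ciphertext on send; verify the hash, then decrypt on receive, so a message whose tag does not match is discarded without ever being decrypted.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Set, Tuple

# Constructed example keys; a real gateway would provision these per channel.
ENC_KEY = b"example-enc-key-0000000000000000"
MAC_KEY = b"example-mac-key-0000000000000000"
NONCE_LEN = 8
TAG_LEN = 32  # SHA-256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (assumption, not the page's cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def encode_message(plaintext: bytes, nonce: bytes) -> bytes:
    """Send side: encrypt, then hash the ciphertext and append the hash (encrypt-then-MAC)."""
    ciphertext = encipher(ENC_KEY, nonce, plaintext)
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decode_message(blob: bytes) -> Optional[bytes]:
    """Receive side: verify the hash first; decrypt only if it matches, else return None."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison so tag checking does not leak how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return encipher(ENC_KEY, nonce, ciphertext)


# A fragment as it arrives in the serial stream: (message id, byte offset, total length, payload).
Fragment = Tuple[int, int, int, bytes]


def fragment(msg_id: int, blob: bytes, size: int) -> List[Fragment]:
    """Split an encoded message into fixed-size pieces for transmission."""
    return [(msg_id, off, len(blob), blob[off:off + size]) for off in range(0, len(blob), size)]


class Reassembler:
    """Places incoming pieces at their memory location and reports complete messages."""

    def __init__(self) -> None:
        self.buffers: Dict[int, bytearray] = {}
        self.covered: Dict[int, Set[int]] = {}

    def feed(self, msg_id: int, offset: int, total_len: int, payload: bytes) -> Optional[bytes]:
        if offset < 0 or offset + len(payload) > total_len:
            return None  # piece does not fit the declared message; drop it
        buf = self.buffers.setdefault(msg_id, bytearray(total_len))
        got = self.covered.setdefault(msg_id, set())
        buf[offset:offset + len(payload)] = payload
        got.update(range(offset, offset + len(payload)))  # duplicates and reordering are harmless
        if len(got) == total_len:
            del self.buffers[msg_id], self.covered[msg_id]
            return bytes(buf)
        return None


def gateway_process(fragments: List[Fragment]) -> List[Tuple[int, Optional[bytes]]]:
    """Feed a stream of pieces through reassembly and then verify-then-decrypt each complete message."""
    reassembler = Reassembler()
    results: List[Tuple[int, Optional[bytes]]] = []
    for msg_id, offset, total_len, payload in fragments:
        whole = reassembler.feed(msg_id, offset, total_len, payload)
        if whole is not None:
            results.append((msg_id, decode_message(whole)))
    return results


if __name__ == "__main__":
    nonce = bytes(range(8))  # constructed nonce for the demo
    pieces = fragment(1, encode_message(b"hello gateway", nonce), 10)
    print(gateway_process(list(reversed(pieces))))  # pieces arrive out of order
```

Because the tag is computed over the ciphertext, the receiving gateway can reject a tampered or corrupted message after one hash pass, without spending cipher work on it; `gateway_process` reports such a message as `None` rather than forwarding anything into the private network.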
It would be advantageous to simplify the ciphering of data within a serial data stream when received by the gateway.
In order to overcome the above limitations of the prior art, it is an aspect of the invention to provide a method of ciphering data received by a gateway, the data being ciphered without accessing the memory buffer via the data bus.
It is an aspect of the invention to provide a method of encoding data for transmission via a wide area network, the data being ciphered and processed for integrity determination in parallel.